Web Application Security - Team bi0s © 2017
XXE: XML External Entity
25 February 2017
@Team bi0s
HEERAJ, B.Tech Third Year, Computer Science Engineering, Amrita University
whoami
➔ Undergraduate Student @ Amrita
➔ Web Security Enthusiast
➔ CTF{flag_seeker}
➔ @heerajnair
➔ ww.i4info.in
Agenda
➔ Intro to XML & DTD
➔ XML Entity
➔ Parsing XML
➔ Attack Vectors
➔ Demo
XML
➔ EXtensible Markup Language
Picture: 123RF.COM
Where is it used?
➔ Document Formats
➔ Image Formats
➔ Configuration Files
➔ Network Protocols
➔ RSS Feeds, etc.
Picture: c-sharpcorner.com
Document Type Definition
➔ References an external DTD
➔ Defines the document structure with a list of legal elements
XML Entity
➔ Entities help reduce repeated entry of the same information
Output: Writer: Donald Duck. Copyright: bi0s.
XML Entity
➔ XML entities come in two kinds: Internal Entity and External Entity
Parsing
➔ All characters other than <, >, &, ', " are parsable.
➔ PCDATA is text that will be parsed by a parser.
➔ CDATA is text that will not be parsed by a parser.
◆ Ex: <![CDATA[<data>Hello, world!]]>
Attacks Possible
➔ Denial Of Service
➔ Local File Inclusion
➔ SSRF
➔ Internal scans
➔ RCE (Not Always!!!)
Billion Laughs Attack
➔ Works by entity expansion: a simple document (<1 KB) expands to up to 3 gigabytes of memory.
Website: digitalimprint.com
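The expansion the slide describes can be measured before a parser ever touches the document. The following added example (not code from the deck) statically estimates how many bytes an inline DTD's internal entities would produce if fully expanded, without expanding them, and refuses documents whose amplification exceeds a policy threshold or whose entities are recursive. The threshold of 100x and the scaled-down three-level sample document are assumptions constructed for the example.

```python
"""Static estimate of entity-expansion amplification for an inline DTD.

Added example for the Billion Laughs slide; it is not code from the deck.
The idea: compute how big the document would become if every entity were
expanded, WITHOUT expanding it, and refuse documents whose amplification
exceeds a policy threshold. The threshold and the sample input are assumptions.
"""
import re

# General (non-parameter) internal entity declarations: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'''<!ENTITY\s+(?!%)([\w.:-]+)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
# References inside content or inside another entity's value: &name;
ENTITY_REF = re.compile(r'&([\w.:-]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character

MAX_AMPLIFICATION = 100.0  # assumed policy: expanded size may be at most 100x the input


def internal_entities(doc: str) -> dict:
    """Map entity name -> literal replacement text for every internal general entity."""
    found = {}
    for m in ENTITY_DECL.finditer(doc):
        name, dq, sq = m.groups()
        found[name] = dq if dq is not None else sq
    return found


def expanded_size(value: str, entities: dict, cache=None, stack=()) -> int:
    """Bytes produced by fully expanding `value`; memoised per entity, cycles raise."""
    if cache is None:
        cache = {}
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += len(value[pos:m.start()].encode())
        pos = m.end()
        name = m.group(1)
        if name in PREDEFINED:
            total += 1
        elif name not in entities:
            total += len(m.group(0).encode())  # undeclared: left as-is by a lenient parser
        else:
            if name in stack:
                raise ValueError(f"recursive entity {name!r}")
            if name not in cache:
                cache[name] = expanded_size(entities[name], entities, cache, stack + (name,))
            total += cache[name]
    total += len(value[pos:].encode())
    return total


def estimate_expansion(doc: str) -> dict:
    """Return declared size, fully expanded size and their ratio for `doc`."""
    entities = internal_entities(doc)
    body = doc.split("]>", 1)[-1]  # content after the internal DTD subset, if any
    expanded = expanded_size(body, entities)
    declared = len(doc.encode())
    return {"declared_bytes": declared, "expanded_bytes": expanded, "ratio": expanded / declared}


def is_safe_to_parse(doc: str, max_ratio: float = MAX_AMPLIFICATION) -> bool:
    """Policy check: reject recursive entities and any amplification above max_ratio."""
    try:
        return estimate_expansion(doc)["ratio"] <= max_ratio
    except ValueError:
        return False


# Constructed sample: a scaled-down, three-level version of the nested-entity pattern
# (10 x 10 x 10 copies of "lol" = 3,000 bytes of text from a 310-byte document).
SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE lolz [\n'
    ' <!ENTITY lol "lol">\n'
    ' <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    ' <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    ' <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\n'
    ']>\n'
    '<lolz>&lol3;</lolz>\n'
)
# Constructed sample with a reference cycle (illegal XML, but a parser may not notice before it recurses).
RECURSIVE = '<!DOCTYPE a [<!ENTITY x "&y;"><!ENTITY y "&x;">]><a>&x;</a>'

if __name__ == "__main__":
    print(estimate_expansion(SAMPLE))
    print("sample safe at 100x:", is_safe_to_parse(SAMPLE))
    print("sample safe at 5x:", is_safe_to_parse(SAMPLE, max_ratio=5))
    print("recursive safe:", is_safe_to_parse(RECURSIVE))
```

Each extra nesting level multiplies the estimate by ten while adding only one line to the input, which is exactly why the amplification ratio, not the raw size, is the right thing to bound. A pre-check like this is cheap to run on every request before the real parser sees the body.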
Attack Vectors
Classic XXE
➔ We can view any file which doesn't contain <, >, &, ', " as characters.
OFFICE OPEN XML
➔ Zip archive file containing XML and media files
➔ *.docx , *.xlsx , *.pptx
➔ Developed by Microsoft
OFFICE OPEN XML
➔ Files in OOXML
  ◆ /_rels/.rels
  ◆ [Content_Types].xml
  ◆ Default Main Document
    ● /word/document.xml
    ● /ppt/presentation.xml
    ● /xl/workbook.xml
Direct Feedback Channel
What if you are reading some configuration files?
Different Protocols
php://filter/convert.base64-encode/resource=/etc/passwd
Direct Feedback Channel
➔ CDATA is very helpful for reading web configuration files, which contain non-parsable characters.
➔ But this won't work!!
Direct Feedback Channel
(Diagram: Host, which does the parsing; Attacker's Server)
1. XML Request
2. Get the DTD
3. Info Back
Direct Feedback Channel
➔ We have to use Parameter entities
➢ Parameter.dtd
Out Of Band Channel
(Diagram: Host, which does the parsing; Attacker's Server)
1. XML Request
2. Get the DTD
3. Info Back
4. GET ?data=root:x:0:0:root:
Out Of Band Channel
➔ No Direct Feedback Channel
Demo
XXE Cheat Sheet: http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html
Solution
➢ Validation of user input
➢ Turn off external DTD fetching
➢ Disable External Entity Parsing
   libxml_disable_entity_loader(true); (PHP)
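The three mitigations above can be implemented in one place: a parser that refuses any DOCTYPE, entity declaration or external entity reference, and never fetches an external DTD. The added example below (not code from the deck) does that with Python's expat bindings, and then applies the same parser to every XML part of an OOXML container, since the earlier slides show that .docx/.xlsx/.pptx files are just zip archives of XML that would otherwise reach the parser unchecked. The minimal in-memory container and the two sample documents are constructed for the example and are not real Office files. One caveat on the PHP line above: libxml_disable_entity_loader() is deprecated as of PHP 8.0 because libxml 2.9 and later disables external entity loading by default; in current PHP the important thing is not to pass LIBXML_NOENT (entity substitution) to the parser.

```python
"""Hardened XML parsing plus an OOXML part scanner.

Added example for the Solution and Office Open XML slides; not code from the deck.
The parser refuses DTDs outright, so neither internal nor external entities
(file://, http://, php://... ) can ever be declared, let alone resolved.
"""
import io
import zipfile
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when a document declares a DTD or an entity."""


def parse_hardened(data: bytes) -> list:
    """Parse `data` and return (element, text) pairs for elements with text.

    Any DOCTYPE, entity declaration or external entity reference aborts parsing,
    and parameter-entity processing is switched off so an external DTD is never fetched.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(*_args):
        raise UnsafeXML("document declares a DTD or entity; refusing to parse")

    parser.StartDoctypeDeclHandler = refuse      # fires on <!DOCTYPE ...>, before any entity
    parser.EntityDeclHandler = refuse            # defence in depth: <!ENTITY ...>
    parser.ExternalEntityRefHandler = refuse     # defence in depth: SYSTEM/PUBLIC references

    stack, buffers, out = [], [], []

    def start(name, _attrs):
        stack.append(name)
        buffers.append([])

    def chars(text):
        if buffers:
            buffers[-1].append(text)   # expat may deliver text in several chunks

    def end(name):
        stack.pop()
        text = "".join(buffers.pop()).strip()
        if text:
            out.append((name, text))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return out


def is_refused(data: bytes) -> bool:
    """True if the hardened parser rejects `data` as unsafe (used by the checks below)."""
    try:
        parse_hardened(data)
    except UnsafeXML:
        return True
    return False


def scan_ooxml(blob: bytes) -> dict:
    """Open an OOXML container in memory and run every .xml/.rels part through parse_hardened.

    Returns {part_name: "ok" | "refused: ..." | "malformed: ..."}.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue  # media, VBA blobs etc. are not XML and are not our concern here
            try:
                parse_hardened(zf.read(name))
                report[name] = "ok"
            except UnsafeXML as exc:
                report[name] = f"refused: {exc}"
            except expat.ExpatError as exc:
                report[name] = f"malformed: {exc}"
    return report


def build_sample_docx(document_xml: str) -> bytes:
    """Constructed minimal container with the three parts the slides list (not a real Word file)."""
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?>'
                               '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": '<?xml version="1.0"?>'
                       '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>',
        "word/document.xml": document_xml,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


# Constructed samples: one plain document and one that declares a (harmless, internal) entity.
CLEAN_DOC = '<?xml version="1.0"?><document><body><p>Hello, world!</p></body></document>'
DTD_DOC = ('<?xml version="1.0"?><!DOCTYPE document [<!ENTITY greeting "Hello">]>'
           '<document><body><p>&greeting;</p></body></document>')

if __name__ == "__main__":
    print(parse_hardened(CLEAN_DOC.encode()))
    print("DTD document refused:", is_refused(DTD_DOC.encode()))
    print(scan_ooxml(build_sample_docx(DTD_DOC)))
```

Refusing the DOCTYPE itself, rather than only external entities, is the simplest rule that also closes the Billion Laughs and parameter-entity cases from the earlier slides; the entity and external-reference handlers are kept only so that the policy still holds if someone later relaxes the DOCTYPE rule.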
Playing With Content Type
➔ The server may accept multiple data formats
➔ As a result, JSON endpoints may also be vulnerable to XXE
➔ Change the Content-Type to application/xml
➔ The JSON body has to be converted to the equivalent XML
OFFICE OPEN XML
Open XML File Container:
● Document Properties
● Custom Defined XML
● Comments
● WordML / SpreadsheetML etc.
● Embedded Code/Macros
● Images, Video, Sound Files
● Charts